Whose email domain should you use for system emails?

Introduction

Many companies run campaigns to raise user awareness of phishing and malware. These campaigns do raise awareness, but they also create user uncertainty about which emails are valid, so system emails need to be designed so users can tell which emails are legitimate. One key factor is the sending email domain, which users can use to judge whether an email is legitimate. So which domain should you use?

Which domain?

When implementing a new system that will send emails, should you use the vendor's email domain or your company's? Often the choice is made to use an email address in the company's domain. Companies do this because they hope that if the email comes from their own domain, users will trust it enough to open it, read it, click on links and respond. The new system will not be successful if users ignore the emails or report them as phishing. Using your company's email domain could make emails look more legitimate to your users, but before you decide to do that, there are a few things you should be aware of.

Disadvantages of using your company domain

  • You are trusting an external company with the ability to send emails to anyone inside or outside your company from any address in your domain. 
    • Once you add the vendor to your SPF record or publish their DKIM key under your domain, they can pass authentication for any address in that domain, not just the one the system is supposed to use.
  • Setting up a system to send from a new domain takes a lot of work these days. 
    • SPF and DKIM records must be added, updated and verified.
    • As part of the intake process, you now need to assess the security risk of the system being authorized to send from your company domain, which adds work to the setup process.
  • If you use your company email domain, you accept a larger share of the responsibility for the deliverability of the emails.
    • SPF record needs updating? That's you.
    • DKIM keys changed? Also you.

Some vendors double down on the concept of sending from the customer's domain by also spoofing the user's email address, so the email looks like it comes from the user who took the action. This is a bad idea which keeps coming back, like bell-bottoms. This design will run afoul of systems designed to detect spoofing (the message is, after all, a forged From address that the user's own mail system did not send) and has other technical limitations, so please continue reading for better alternatives. 

Send from the vendor's domain

If you are thinking that authorizing vendors to send from your user domain(s) is not such a good idea, what are the alternatives? At DMARC Envoy, we believe in giving the vendor as much responsibility for delivering their system emails as possible. That means vendors should send from their domains, not yours. 

SharePoint Online is a good example of how we think system emails should look. SharePoint sends from a Microsoft domain and adds information to the subject and body so the recipient can make the connection between the email they received, the system that sent the email, and the person who took the action, for example sharing a file on a SharePoint site.

You might be thinking, didn't Microsoft add the ability for SharePoint to send emails from customer domains? Yes, they did. Microsoft is in a special position because Office 365 is already authorized to send from its customers' domains; for most other systems we still believe the vendor's domain is the right choice.

Send from your company domain

If after reading this you decide using your company domain is the best fit for your new application, there are still ways to reduce security and operations risks.

If the application doesn't support authentication, or it isn't a good fit for some other reason, another alternative is to set up an application subdomain. If the company email is @company.com, the system sends from @application.company.com. You need to add the new subdomain and its SPF, DKIM and DMARC records, but you gain granularity: the subdomain can be set up specifically for the capabilities and requirements of the system. Because the system is authorized only for the subdomain, it cannot impersonate your users (a good thing), and you don't risk breaking your main SPF record, for example by pushing it past the limit of 10 DNS lookups.
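As an added example (not from the original article and not a DMARC Envoy recommendation for any particular vendor), this is what the DNS side of the subdomain approach looks like in zone-file form. The names are assumptions: application.company.com is the sending subdomain, spf.vendor.example is the vendor's SPF include, vendor1 is the DKIM selector the vendor publishes, spf.protection.outlook.com stands in for whatever your main mail platform's include is, and the DKIM public key is a placeholder.

```dns
; Added example, not from the original article. Hypothetical names:
; application.company.com = sending subdomain, spf.vendor.example =
; the vendor's SPF include, vendor1 = the vendor's DKIM selector.

; Root domain: the vendor is deliberately NOT listed here, so it cannot
; pass SPF for user@company.com. sp=reject covers any subdomain that has
; no DMARC record of its own.
company.com.                    IN TXT "v=spf1 include:spf.protection.outlook.com -all"
_dmarc.company.com.             IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@company.com"

; Application subdomain: SPF authorizes only the vendor's servers.
; An MX gives bounces and replies somewhere to go.
application.company.com.        IN MX  10 mail.company.com.
application.company.com.        IN TXT "v=spf1 include:spf.vendor.example -all"

; DKIM: the vendor's public key under their selector, scoped to the
; subdomain. The vendor signs with d=application.company.com.
vendor1._domainkey.application.company.com. IN TXT "v=DKIM1; k=rsa; p=<public key supplied by vendor>"

; DMARC for the subdomain overrides the root sp= policy. Start at
; p=none while you read the reports, then move to quarantine/reject.
_dmarc.application.company.com. IN TXT "v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarc-reports@company.com"
```

Two checks before you go live: confirm with `dig +short TXT _dmarc.application.company.com` and the equivalent queries for the SPF and DKIM names that the records are actually published, and confirm which Return-Path the vendor uses. If the vendor bounces to their own domain, SPF will not align with application.company.com and the DMARC pass has to come from the DKIM signature, so the strict alignment above is only safe if the vendor really signs with d=application.company.com.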

Summary

System emails are important for the flow of business information and as part of digital business processes. Application emails must be designed so that users can identify the application that sent the email, the purpose of the email, and the person who generated it, so that they will open, read, and respond. Security and maintenance are the primary concerns, and both are best served by using the vendor's domain for system emails.

Better Alternatives to whitelisting for ensuring email delivery

Introduction

Email is used by businesses every day. Business correspondence is a core use, but email is also used by applications to send surveys, notifications, data exchanges, reports and alerts. Email's universal adoption makes it a prime target for attackers looking to compromise businesses, so it must be protected by filters, which protect users but also risk stopping important emails. To make things more complicated, each email security vendor creates their own filters to detect unwanted emails, and companies themselves often make further adjustments based on their own security rules and procedures. No feedback is sent back to the sender for quarantined emails, to avoid revealing information that could be used by bad actors.

In the face of uncertainty about email deliverability, business partners who use email as part of their service often request that their email addresses or domains be whitelisted to guarantee that emails are delivered to recipients. While this does have the intended effect, I believe it is not the right approach.

Why Whitelisting is the wrong approach

Note: this article focuses on whitelisting as it relates to applications, as this is where I see most requests for whitelisting. If you are a business with your own email domain and you are having issues delivering regular emails to your customers, start by checking that you have configured SPF and DMARC. Most email providers publish suggested records you can add to DNS, and this should noticeably improve the situation.

As most people are aware, it is very easy to forge the sender email address. Once a company has whitelisted an email address, anyone on the Internet can use that address to send to the company, and the message will be delivered to the recipient's inbox. Worse yet, if the sending company uses the same email address with multiple customers, all of whom have whitelisted it, the same forged address gives access to many companies. This is bad for the receivers, but also for the company that owns the email address. What company wants to be responsible for their customers being compromised?

Alternatives to whitelisting

As the person responsible for your company’s email, what should you do when you receive a request for whitelisting? Luckily, developments in email authentication have made whitelisting largely unnecessary. Once you have decided not to whitelist, what should you do instead? Here are my recommendations:

First, the sending company should take as much responsibility for the delivery of their emails as possible. This means configuring SPF, DMARC and preferably DKIM on their end. Emails need to align with DMARC, that is, the domain that passes SPF or DKIM must match the domain in the visible From address. (DMARC alignment is outside the scope of this article, but look for an article on the subject here soon.) The DMARC policy for the sending domain/subdomain should be set to quarantine or reject, but any DMARC record is better than none. If the sender doesn't authenticate their emails so that they are deliverable, there isn't much the receiver can safely do.

If you are thinking this is more work than just whitelisting the requested addresses, that’s true in the short run, but you are investing in better security and less maintenance down the road. In my experience vendors/business partners are willing to make changes if you make the effort to explain why it is important and help them understand what changes need to be made.

Once the above configuration is done, the receiving company should check that their email filters do not quarantine emails based on the volume of emails from a sender. Although some senders throttle emails to avoid this type of filter, it isn’t effective and is just one more thing that can go wrong.

Additional steps to take if emails are still going to quarantine

Hopefully, the above recommendations are enough, meaning no more setup is needed to ensure email delivery, but if system emails are still going to quarantine, here are a few more things you can do.

If you have implemented the above recommendations and emails are still going to quarantine, we suggest adding the email address to a DMARC pass rule, which allows emails from specific addresses only when they pass DMARC. You can set up a single rule for DMARC pass and then add email addresses to it as necessary. Setting up the rule will differ depending on the email system you are using. Some systems allow you to create a rule directly on the DMARC result, while others require you to match on message headers (for example the Authentication-Results header, which records dmarc=pass).

The difference between traditional whitelisting and using a DMARC pass rule is that a bad actor cannot spoof the email address and pass the rule, even if they know the rule exists. The DMARC pass rule relies on DMARC so the first step is always for the sender to set up DMARC and then add addresses to the rule as necessary.
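The following is an added example, not code from the original article or from DMARC Envoy. It implements a simplified DMARC alignment check (the relaxed/strict comparison mentioned in the alignment recommendation above) and then compares a legacy address whitelist with a DMARC pass rule on constructed messages: a genuine notification, a spoof of the same From address sent from an attacker's own infrastructure, a sender with no DMARC record at all, and a sender with strict alignment. All domains, addresses and DNS records are hypothetical, and the organizational-domain logic is a two-label simplification of what real receivers do with the Public Suffix List.

```python
# Added example, not from the original article. Simplified DMARC alignment
# check plus "whitelist vs. DMARC pass rule" comparison on constructed data.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    header_from: str            # RFC 5322 From: address, what the user sees
    mail_from: str              # RFC 5321 MAIL FROM (Return-Path), what SPF checks
    spf_result: str             # receiver's SPF verdict for the MAIL FROM domain
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, else None


# Constructed DNS TXT records, keyed by name (stands in for real lookups).
DNS = {
    "_dmarc.partner.example": "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    # nodmarc.example publishes nothing at all
}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(from_domain: str) -> Optional[dict]:
    # Exact From domain first, then its organizational domain (RFC 7489 6.6.3).
    for name in (from_domain, org_domain(from_domain)):
        record = DNS.get(f"_dmarc.{name}")
        if record and record.lower().startswith("v=dmarc1"):
            return parse_dmarc(record)
    return None


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":                       # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed


def dmarc_result(msg: Message) -> str:
    """Return 'pass', 'fail', or 'none' (sender publishes no DMARC record)."""
    from_domain = domain_of(msg.header_from)
    policy = lookup_dmarc(from_domain)
    if policy is None:
        return "none"
    spf_ok = msg.spf_result == "pass" and aligned(
        domain_of(msg.mail_from), from_domain, policy.get("aspf", "r"))
    dkim_ok = msg.dkim_domain is not None and aligned(
        msg.dkim_domain, from_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else "fail"


def whitelist_allows(msg: Message, whitelist: set) -> bool:
    # Legacy rule: trust the visible From: address alone.
    return msg.header_from.lower() in whitelist


def dmarc_pass_rule_allows(msg: Message, allow_list: set) -> bool:
    # Safer rule: the address is listed AND the message passes DMARC.
    return msg.header_from.lower() in allow_list and dmarc_result(msg) == "pass"


ALLOWED = {"noreply@surveys.partner.example"}

# Genuine notification: SPF passes on the partner's bounce domain and the
# DKIM signature is from the organizational domain (relaxed alignment).
GENUINE = Message("noreply@surveys.partner.example",
                  "bounce@surveys.partner.example", "pass", "partner.example")

# Spoof: the From: is forged but the mail comes from the attacker's own
# servers, so SPF passes for evil.example and nothing aligns with partner.example.
SPOOFED = Message("noreply@surveys.partner.example",
                  "bounce@evil.example", "pass", None)

# Authenticated sender with no DMARC record: the pass rule cannot help yet.
NO_DMARC = Message("noreply@nodmarc.example",
                   "bounce@nodmarc.example", "pass", "nodmarc.example")

# Strict alignment: a signature from the org domain is no longer enough.
STRICT = Message("alerts@app.strict.example",
                 "bounce@other.example", "pass", "strict.example")


if __name__ == "__main__":
    for name, m in [("genuine", GENUINE), ("spoofed", SPOOFED)]:
        print(f"{name}: whitelist={whitelist_allows(m, ALLOWED)} "
              f"dmarc={dmarc_result(m)} pass-rule={dmarc_pass_rule_allows(m, ALLOWED)}")
```

Running it shows the point of the article: the whitelist admits both the genuine and the spoofed message, while the DMARC pass rule admits only the genuine one. The NO_DMARC case is why the sender must publish a record first: with no policy to evaluate, the result is neither pass nor fail and the rule has nothing to key on.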

Conclusion

By deciding not to whitelist you improve your company’s email security and even make email a bit more secure for everyone by encouraging vendors to implement DMARC.

Additional note

While you are at it, why not check whether you have whitelisted addresses that are no longer needed. You could start by removing inactive addresses (message trace can identify which addresses have not sent anything recently). Once you have removed inactive addresses, check for active addresses you can move from your whitelist to your new DMARC pass rule. I suggest making the changes gradually over a few days, so that if something unexpected happens you won't affect multiple systems at once.

How to Create Custom Post Types in WordPress

What is a Custom Post Type in WordPress?

Custom post types are content types like posts and pages. Since WordPress evolved from a simple blogging platform into a robust CMS, the term post stuck to it. However, a post type can be any kind of content.

By default, WordPress comes with these post types:

  • Post
  • Page
  • Attachment
  • Revision
  • Nav Menu

You can create your own custom post types and call them whatever you want.

For instance, if you run a movie review website, then you would probably want to create a movie reviews post type. This post type can have different custom fields and even its own custom category structure.

Other examples of post types are Portfolio, Testimonials, Products, etc.

Many popular WordPress plugins already use custom post types to store data on your WordPress website. The following are a few top plugins that use custom post types.

  • WooCommerce – Adds a product custom post type to your WordPress site.
  • WPForms – Creates a wpforms post type to store all your forms
  • MemberPress – Adds a memberpressproduct custom post type

When do I need a custom post type?

Check out our article about when you really need custom post types or taxonomies in WordPress.

Also take a look at WPBeginner’s Deals and Glossary sections. These are custom post types that we created to keep these sections separate from our daily blog articles. It helps us better organize our website content.

You will also notice that we are using custom taxonomies for them instead of categories or tags.

That being said, let’s take a look at how to easily create custom post types in WordPress for your own use.

Method 1. Creating a Custom Post Type – The Easy Way

The easiest way to create a custom post type in WordPress is by using a plugin. This method is recommended for beginners because it is safe and super easy.

The first thing you need to do is install and activate the Custom Post Type UI plugin. Upon activation, the plugin will add a new menu item in your WordPress admin menu called CPT UI.

Now go to CPT UI » Add New to create a new custom post type.

Meet the 2020 Season 1 dmarc envoy Super Users!


Heads up: E-Mail Subscription support for external e-mail addresses is coming soon
